PT-2026-24168 · Glance · Glance

Neo-Ai-Engineer

Published: 2026-03-09 · Updated: 2026-03-18

CVE-2026-30930

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Glances versions prior to 4.5.1

Description: Glances, a cross-platform system monitoring tool, contains a SQL injection flaw in its TimescaleDB export module. The module builds SQL queries by concatenating strings with unverified system monitoring data. The normalize() function encloses string values in single quotes but does not escape embedded single quotes, so any monitored value that contains a quote closes the literal early and the remainder of the value is executed as SQL. Values such as process names, filesystem mount points, network interface names and container names can be chosen by an attacker on the monitored host. The vulnerable code is the normalize() function in glances/exports/glances_timescaledb/__init__.py (lines 79-93) and the query construction in the same file (lines 201-205).

A proof of concept shows that a normal (unprivileged) user creates a process whose name contains a SQL injection payload; when Glances is started with TimescaleDB export enabled, a file appears in the /tmp directory, demonstrating that the injected SQL was executed by the database server. Potential impacts include data destruction, data exfiltration, potential remote code execution and privilege escalation. The root cause is the direct execution of concatenated SQL queries instead of parameterized queries.

Recommendations: Versions prior to 4.5.1 should be updated to version 4.5.1 or later.
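The following is an added example, not code from Glances or from this advisory, that reproduces the quote-without-escape pattern the description attributes to normalize() beside a parameterized replacement. TimescaleDB is stood in for by an in-memory SQLite database so the example runs offline; the table name, column names, sample rows and the payload string are all constructed for illustration and are not the real exporter's schema or the original proof-of-concept payload. The vulnerable path uses executescript() to model a driver that executes several statements per call (as psycopg does against PostgreSQL; sqlite3.execute would refuse), which is an assumption of the example.

```python
import re
import sqlite3

# Stand-in schema for one exported stats table (assumption of the example,
# not the real Glances/TimescaleDB schema).
SCHEMA = "CREATE TABLE process (name TEXT, cpu_percent REAL)"

# Constructed sample of monitoring data. The last "process name" is one a local
# user could pick to carry an injection payload; all values are hypothetical.
PAYLOAD = "x', 0); DELETE FROM process; --"
ROWS = [
    {"name": "python3", "cpu_percent": 1.5},
    {"name": "sshd", "cpu_percent": 0.0},
    {"name": PAYLOAD, "cpu_percent": 0.0},
]


def new_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def normalize_vulnerable(value):
    """Quote-but-don't-escape, the behaviour the advisory describes.

    A string is wrapped in single quotes; an embedded quote is copied through
    untouched, so the value can terminate the literal early.
    """
    if value is None:
        return "NULL"
    if isinstance(value, str):
        return "'" + value + "'"
    return str(value)


def build_insert_vulnerable(table, row):
    """Build the INSERT by plain string concatenation (pre-4.5.1 pattern)."""
    cols = ", ".join(row)
    vals = ", ".join(normalize_vulnerable(v) for v in row.values())
    return f"INSERT INTO {table} ({cols}) VALUES ({vals});"


def export_vulnerable(db, rows):
    # executescript() runs every statement in the string, modelling a driver
    # that accepts multiple statements per call. The injected DELETE therefore
    # runs as soon as the payload row is exported.
    for row in rows:
        db.executescript(build_insert_vulnerable("process", row))


IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def build_insert_safe(table, row):
    """Hardened form: values travel as bind parameters, never in the SQL text.

    Bind parameters cannot carry identifiers, so table and column names are
    checked against a strict allowlist pattern instead.
    """
    for ident in (table, *row):
        if not IDENT.fullmatch(ident):
            raise ValueError(f"unsafe SQL identifier: {ident!r}")
    cols = ", ".join(row)
    placeholders = ", ".join("?" for _ in row)  # psycopg uses %s instead of ?
    return f"INSERT INTO {table} ({cols}) VALUES ({placeholders})", tuple(row.values())


def export_safe(db, rows):
    for row in rows:
        sql, params = build_insert_safe("process", row)
        db.execute(sql, params)
    db.commit()


def stored_names(db):
    return [r[0] for r in db.execute("SELECT name FROM process ORDER BY rowid")]


def demo():
    """Export the same rows both ways and return what each database retained."""
    vuln = new_db()
    export_vulnerable(vuln, ROWS)
    safe = new_db()
    export_safe(safe, ROWS)
    return stored_names(vuln), stored_names(safe)


if __name__ == "__main__":
    vuln_names, safe_names = demo()
    print("vulnerable exporter kept:", vuln_names)      # []  (injected DELETE wiped the table)
    print("parameterized exporter kept:", safe_names)   # payload stored verbatim as a name
```

Running demo() shows the two outcomes side by side: the concatenating exporter executes the DELETE smuggled inside a process name and is left with an empty table, while the parameterized exporter stores the same string as an ordinary name. Escaping quotes inside normalize() would only patch this one quoting context; passing every value as a bind parameter, and restricting identifiers to an allowlist, removes the concatenation the advisory identifies as the root cause.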

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-30930
GHSA-X46R-MF5G-XPR6

Affected Products

Glance